Malware Analysis Report

2025-01-02 06:05

Sample ID 241123-tqgh3stnhl
Target 1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe
SHA256 1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577
Tags
fabookie nullmixer redline socelars vidar 915 media25pqs aspackv2 discovery dropper execution infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577

Threat Level: Known bad

The file 1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe was found to be: Known bad.

Malicious Activity Summary

fabookie nullmixer redline socelars vidar 915 media25pqs aspackv2 discovery dropper execution infostealer spyware stealer

RedLine

Fabookie

Socelars family

Redline family

Nullmixer family

Vidar

Fabookie family

Socelars

Socelars payload

Vidar family

RedLine payload

NullMixer

Detect Fabookie payload

Vidar Stealer

Detected Nirsoft tools

NirSoft WebBrowserPassView

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up geolocation information via web service

Drops Chrome extension

Checks installed software on the system

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 16:15

Reported

2024-11-23 16:17

Platform

win7-20240903-en

Max time kernel

79s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03c16839a9b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03ff1e89e18831.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7777af.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1248 set thread context of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f7777af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03c16839a9b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 1044 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe

"C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03f186a0d10.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0337242833e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon034a40f4c2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03184374b6827dae2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0333ecac229eb22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03ff1e89e18831.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon036f89e9eef8271.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0376e7a8f67a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0318a4864788e065.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03c16839a9b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon036bb55bb30d.exe /mixtwo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe

Mon0333ecac229eb22.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe

Mon036f89e9eef8271.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe

Mon03f186a0d10.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe

Mon034a40f4c2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe

Mon0318a4864788e065.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe

Mon036bb55bb30d.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe

Mon0337242833e.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe

Mon03184374b6827dae2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03c16839a9b.exe

Mon03c16839a9b.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03ff1e89e18831.exe

Mon03ff1e89e18831.exe

C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp" /SL5="$60200,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe

Mon0376e7a8f67a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe" -u

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MNCC5.tmp\Mon034a40f4c2.tmp" /SL5="$7015A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe" /SILENT

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 452

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1756 -s 1132

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1648 -s 516

C:\Users\Admin\AppData\Local\Temp\f7777af.exe

"C:\Users\Admin\AppData\Local\Temp\f7777af.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 mstdn.social udp
US 172.67.74.161:443 iplogger.org tcp
DE 49.13.236.103:443 mstdn.social tcp
DE 49.13.236.103:443 mstdn.social tcp
DE 49.13.236.103:443 mstdn.social tcp
DE 49.13.236.103:443 mstdn.social tcp
US 8.8.8.8:53 qoto.org udp
US 8.8.8.8:53 bthuu.com udp
US 8.8.8.8:53 c.pki.goog udp
US 100.24.65.138:443 qoto.org tcp
GB 142.250.200.3:80 c.pki.goog tcp
N/A 127.0.0.1:49281 tcp
N/A 127.0.0.1:49283 tcp
US 8.8.8.8:53 r10.o.lencr.org udp
FR 2.21.132.216:80 r10.o.lencr.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 datingmart.me udp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 www.hhiuew33.com udp
FR 77.233.110.97:8080 tcp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 crl.microsoft.com udp
FR 95.100.202.74:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
RO 2.20.102.93:80 www.microsoft.com tcp
FR 77.233.110.97:8080 tcp
FI 65.108.69.168:13293 tcp
FI 65.108.69.168:13293 tcp
FI 65.108.69.168:13293 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS4143C446\setup_install.exe

MD5 cd66b43b6558d0e17a0e92fd7ac42787
SHA1 90aedefa4b7082676d02568eb31012e40d1d6655
SHA256 ea8907747931024f386f148247b5cf0c1fff53df0d61ab6a1d85c84809511aab
SHA512 5f5848a056eaab118bf2a80fdf5fc0b6262654c9564a955f9e956ed89c102c610346e1d8de75a4b1840166062fe3299b70c049c8f6d25109cc073a91288a0b8b

\Users\Admin\AppData\Local\Temp\7zS4143C446\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2892-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2892-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2892-74-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon034a40f4c2.exe

MD5 99918fe3d5011f5e084492e0d9701779
SHA1 55f7a03c6380bb9f51793be0774681b473e07c9f
SHA256 558a67043fbcd0bc37d34c99ff16f66b259b24b44811516ceff678964ec655c4
SHA512 682f1c6c648319c974e608defa41b714d0e8c3670d3f5e669b7227aaf5400285f9f0c6c5c82c50518031d8a93a3cfd591031651068d5a458a6606f2bf51d3e12

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03f186a0d10.exe

MD5 28a0b3751b521af221baa3a76f32c8c1
SHA1 f71aaa12ac600549120b062cbbd852b1a1807c43
SHA256 710ceb98e12443d28a9fd280b453eade11bc3483f6280dc224eb48ed327028ca
SHA512 a3773694f59a8f4c7cd06f7dc97c41bf943cf2e9b6283027964890f0122e26c9822e6b91b3ac23eacefa6954b0b983e7dd9226bfb37682f1645f8c85b24fda4f

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036bb55bb30d.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0318a4864788e065.exe

MD5 47e1245ae15e44e2df28280d95ad2741
SHA1 cb5abc70156154368ff10271fa1c1e80dab6d417
SHA256 c614c4dfbc4fd75a9ccd3ed8b14440de34a7c1945ccf865a414e2e3111162696
SHA512 032df7df40c06266c25a25a2efd945bfd7591dc442b3f4183163491f432f1be8ce2b0554067c3fe02361aeb962bd53d20878db3bec495a52c13787b31dceadeb

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0333ecac229eb22.exe

MD5 b6f7de71dcc4573e5e5588d6876311fc
SHA1 645b41e6ea119615db745dd8e776672a4ba59c57
SHA256 73437218cd12895c7a59c0c03009417705ed231d323e3a1ad279750e46bcc8ad
SHA512 ca297d40f0e2cc45d5737627a1aaeec61bf7c6f425acadb14e689b4392fcc4a17e74dc1514fb3bf8d9a6a91b5cea38801996a2a7ee2dee0c335bfb2f103c6d42

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon036f89e9eef8271.exe

MD5 f85794c2bf341a1efe78cdad0b1b4dc5
SHA1 d7ff2be2dafed282b5eda883ee7d02a4eca75194
SHA256 6455d5f4eae530ace507b2ac338777b408e99094acf96bbef7603d7af641b833
SHA512 91f98cff29225a025114013a9ce7423a3e5646725a927606f66577724a691b367004ca8d36ce51f129243a6a87003abd8dd09fa7b195e8ecf70fbc73305f7790

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03184374b6827dae2.exe

MD5 7df1d7d115da507238cf409fa1bd0b91
SHA1 a133c62a14f3871c552a0bcad87a291d5744c2cf
SHA256 2bed8e9c8a557e04ab5f5c3b2a4a26133f62993277dbf0fa0ab574eabb4eddd0
SHA512 2ab249240a4c76d65a225787f2207f38a08cd3e2756bf23c2446343a583fb32a51b5e5674c3af2100a55e53ab49167c462061f251d19e3f89c23526d752c688a

memory/552-101-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03c16839a9b.exe

MD5 8427ae0ce0ded0794b9e0b3dd422702e
SHA1 6e5350072840eb80a09e2c28ce22c2bca8e2aab1
SHA256 8ca5df6f0a4bbc6ae6a0f56b5b2c72e253c4cc72c40919d8984039de8f45e41a
SHA512 90cb046d28eb7e956f99e024a89c05a14cae99580122d99fe49872b36c8f8de95331dd4fee60458b118f96ab40baf770c3f07dbcef2b4b6530832fcb00feac78

\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon03ff1e89e18831.exe

MD5 74e88352f861cb12890a36f1e475b4af
SHA1 7dd54ab35260f277b8dcafb556dd66f4667c22d1
SHA256 64578ffca840ebc3f791f1faa21252941d9fd384622d54a28226659ad05650a3
SHA512 18a6911b0d86088d265f49471c52d901a39d1549f9ac36681946a1b91fdb2f71f162ddf4b4659be061302fae6d616852d44c9a151f66eb53bbcc2fde6e7b9463

memory/2016-133-0x00000000004E0000-0x00000000005BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CCPP8.tmp\Mon034a40f4c2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2016-132-0x00000000004E0000-0x00000000005BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0337242833e.exe

MD5 d1ec05df172b32843f1564bc34feef68
SHA1 29ae8b1a96f294b2f420c7710c81740e79eb2b91
SHA256 e7bfb6e1cba02dd07c20e937a535193f25e87194be8fa6f949a967dc7bd919cf
SHA512 500e55b9976837acf11c97021361f7a57c7425f25e95aab20f5d83fe5c8d582de7bcae0b500cbaf85da52fc739aaaef7a3bd5f8d8b500820b83a0bbd286d26fb

memory/1756-139-0x0000000000190000-0x00000000001E8000-memory.dmp

memory/2016-115-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/1112-114-0x0000000002810000-0x00000000028EE000-memory.dmp

memory/1028-153-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/552-154-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1248-159-0x00000000001F0000-0x000000000027A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UB8U4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-UB8U4.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1756-155-0x0000000000150000-0x0000000000156000-memory.dmp

memory/1724-148-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\812C3TW5TJQGXU6EYTLA.temp

MD5 a1fddb22125225ca6c43a0b07ec9d1e0
SHA1 efa113a24949e1920ae72791a8e9400105880a02
SHA256 a7332c6678ef6b19dc1ef1313f351c2b517e12e3c13aab04f115c7036218e625
SHA512 919c5a1396f7507b0fc5bd168f3fa5ab3bcff70f8645997b18479570cd84b43f478f453bb6cf1742b341362b830408d28a93283936fbe3e034751630af1d93ba

memory/1112-113-0x0000000002810000-0x00000000028EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4143C446\Mon0376e7a8f67a.exe

MD5 a3ba569405d0fa3f577e9c83b6c303af
SHA1 2ba0d6724aa30dc474ee00a06573e8652a117eac
SHA256 2799a1a7d1a6d1e1dc2746bea858c4052cab03833b069beac261a9f4ad56be90
SHA512 f23907f89db9e9bc6ce80faf1577a461de9ddd23009069a3ab4ab8bc18f610a6c5b44bac5469145fdc61ba130755c02baf83783d7a31d0de747d1b11f260ad0d

memory/2892-73-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2892-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2892-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1756-167-0x00000000001F0000-0x0000000000236000-memory.dmp

memory/2892-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4143C446\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS4143C446\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1756-171-0x0000000000160000-0x0000000000166000-memory.dmp

memory/2224-185-0x0000000002C20000-0x0000000003C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6E5D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2224-202-0x000000002E060000-0x000000002E111000-memory.dmp

memory/2224-203-0x000000002E120000-0x000000002E1BC000-memory.dmp

memory/2224-206-0x000000002E120000-0x000000002E1BC000-memory.dmp

memory/2224-204-0x000000002E120000-0x000000002E1BC000-memory.dmp

memory/2892-207-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2892-208-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2892-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-216-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2892-215-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-214-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2892-212-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 7165e9d7456520d1f1644aa26da7c423
SHA1 177f9116229a021e24f80c4059999c4c52f9e830
SHA256 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512 fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

memory/1812-226-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-229-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/1112-228-0x0000000002810000-0x00000000028EE000-memory.dmp

memory/1112-227-0x0000000002810000-0x00000000028EE000-memory.dmp

memory/2932-230-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-242-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-240-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-238-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-236-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-234-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2932-232-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2016-245-0x00000000004E0000-0x00000000005BE000-memory.dmp

memory/2016-244-0x00000000004E0000-0x00000000005BE000-memory.dmp

memory/280-243-0x0000000000400000-0x000000000053F000-memory.dmp

memory/2824-246-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2224-247-0x000000002E120000-0x000000002E1BC000-memory.dmp

memory/2224-248-0x000000002E1C0000-0x000000002F347000-memory.dmp

memory/2224-249-0x000000002F350000-0x000000002F3E6000-memory.dmp

memory/2224-250-0x00000000024B0000-0x0000000002540000-memory.dmp

memory/1724-253-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1028-254-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

memory/2016-258-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/1028-260-0x00000000023F0000-0x00000000024A1000-memory.dmp

memory/1028-261-0x000000002E130000-0x000000002E1CC000-memory.dmp

memory/1880-262-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2224-263-0x0000000002C20000-0x0000000003C20000-memory.dmp

memory/1028-266-0x000000002E130000-0x000000002E1CC000-memory.dmp

memory/1028-264-0x000000002E130000-0x000000002E1CC000-memory.dmp

memory/1028-268-0x000000002E130000-0x000000002E1CC000-memory.dmp

memory/1028-270-0x000000002F360000-0x000000002F3F6000-memory.dmp

memory/1028-269-0x000000002E1D0000-0x000000002F357000-memory.dmp

memory/1028-271-0x000000002F400000-0x000000002F490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f7777af.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/3000-314-0x0000000000D20000-0x0000000000D28000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 16:15

Reported

2024-11-23 16:17

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03ff1e89e18831.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036bb55bb30d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03c16839a9b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RHCTS.tmp\Mon034a40f4c2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58a860.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3816 set thread context of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RHCTS.tmp\Mon034a40f4c2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036bb55bb30d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e58a860.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768521684875111" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03c16839a9b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe
PID 5048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe
PID 5048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe
PID 3580 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3580 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3580 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 732 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 732 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 4832 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe
PID 4832 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe
PID 4832 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe
PID 4952 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe
PID 4952 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe
PID 4952 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe
PID 4520 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe
PID 4520 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe
PID 4520 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe
PID 684 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe
PID 684 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe
PID 684 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe
PID 4780 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03ff1e89e18831.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe

"C:\Users\Admin\AppData\Local\Temp\1cea91d9a0771725646049205b621cd82ac26f325086156e67b0067945df6577N.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03f186a0d10.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0337242833e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon034a40f4c2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03184374b6827dae2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0333ecac229eb22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03ff1e89e18831.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon036f89e9eef8271.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0376e7a8f67a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon0318a4864788e065.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon03c16839a9b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon036bb55bb30d.exe /mixtwo

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3580 -ip 3580

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

Mon03184374b6827dae2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe

Mon034a40f4c2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe

Mon0337242833e.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe

Mon03f186a0d10.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe

Mon036f89e9eef8271.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03ff1e89e18831.exe

Mon03ff1e89e18831.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036bb55bb30d.exe

Mon036bb55bb30d.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe

Mon0376e7a8f67a.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe

Mon0318a4864788e065.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe

Mon0333ecac229eb22.exe

C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp" /SL5="$9003A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4432 -ip 4432

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 408

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03c16839a9b.exe

Mon03c16839a9b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 972 -ip 972

C:\Users\Admin\AppData\Local\Temp\is-RHCTS.tmp\Mon034a40f4c2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RHCTS.tmp\Mon034a40f4c2.tmp" /SL5="$90066,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe" /SILENT

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb5a6cc40,0x7ffbb5a6cc4c,0x7ffbb5a6cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 468 -s 920

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,7539211091383512143,2380606721165681595,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\AppData\Local\Temp\e58a860.exe

"C:\Users\Admin\AppData\Local\Temp\e58a860.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 784

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 iplogger.org udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 mstdn.social udp
DE 49.13.236.103:443 mstdn.social tcp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 103.236.13.49.in-addr.arpa udp
US 8.8.8.8:53 bthuu.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 datingmart.me udp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 2.21.132.163:80 r11.o.lencr.org tcp
US 8.8.8.8:53 55.221.32.23.in-addr.arpa udp
US 8.8.8.8:53 qoto.org udp
US 100.24.65.138:443 qoto.org tcp
US 8.8.8.8:53 163.132.21.2.in-addr.arpa udp
US 8.8.8.8:53 138.65.24.100.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
FR 2.21.132.163:80 r10.o.lencr.org tcp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 127.0.0.1:57736 tcp
N/A 127.0.0.1:57738 tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 gp.gamebuy768.com udp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 161.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 gp.gamebuy768.com udp
FR 77.233.110.97:8080 tcp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
US 8.8.8.8:53 gp.gamebuy768.com udp
FI 65.108.69.168:13293 tcp
US 8.8.8.8:53 gp.gamebuy768.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\setup_install.exe

MD5 cd66b43b6558d0e17a0e92fd7ac42787
SHA1 90aedefa4b7082676d02568eb31012e40d1d6655
SHA256 ea8907747931024f386f148247b5cf0c1fff53df0d61ab6a1d85c84809511aab
SHA512 5f5848a056eaab118bf2a80fdf5fc0b6262654c9564a955f9e956ed89c102c610346e1d8de75a4b1840166062fe3299b70c049c8f6d25109cc073a91288a0b8b

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3580-65-0x0000000000760000-0x00000000007EF000-memory.dmp

memory/3580-68-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3580-67-0x0000000064941000-0x000000006494F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036bb55bb30d.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

memory/3276-84-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-85-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/696-87-0x0000000073E30000-0x00000000745E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon036f89e9eef8271.exe

MD5 f85794c2bf341a1efe78cdad0b1b4dc5
SHA1 d7ff2be2dafed282b5eda883ee7d02a4eca75194
SHA256 6455d5f4eae530ace507b2ac338777b408e99094acf96bbef7603d7af641b833
SHA512 91f98cff29225a025114013a9ce7423a3e5646725a927606f66577724a691b367004ca8d36ce51f129243a6a87003abd8dd09fa7b195e8ecf70fbc73305f7790

memory/4432-126-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R52T6.tmp\Mon034a40f4c2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/3816-127-0x00000000054B0000-0x00000000054CE000-memory.dmp

memory/696-124-0x0000000005900000-0x0000000005C54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-1JPF1.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/3816-134-0x0000000005B70000-0x0000000006114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03c16839a9b.exe

MD5 8427ae0ce0ded0794b9e0b3dd422702e
SHA1 6e5350072840eb80a09e2c28ce22c2bca8e2aab1
SHA256 8ca5df6f0a4bbc6ae6a0f56b5b2c72e253c4cc72c40919d8984039de8f45e41a
SHA512 90cb046d28eb7e956f99e024a89c05a14cae99580122d99fe49872b36c8f8de95331dd4fee60458b118f96ab40baf770c3f07dbcef2b4b6530832fcb00feac78

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1wxooex.t0z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3816-102-0x0000000005510000-0x0000000005586000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0333ecac229eb22.exe

MD5 b6f7de71dcc4573e5e5588d6876311fc
SHA1 645b41e6ea119615db745dd8e776672a4ba59c57
SHA256 73437218cd12895c7a59c0c03009417705ed231d323e3a1ad279750e46bcc8ad
SHA512 ca297d40f0e2cc45d5737627a1aaeec61bf7c6f425acadb14e689b4392fcc4a17e74dc1514fb3bf8d9a6a91b5cea38801996a2a7ee2dee0c335bfb2f103c6d42

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0318a4864788e065.exe

MD5 47e1245ae15e44e2df28280d95ad2741
SHA1 cb5abc70156154368ff10271fa1c1e80dab6d417
SHA256 c614c4dfbc4fd75a9ccd3ed8b14440de34a7c1945ccf865a414e2e3111162696
SHA512 032df7df40c06266c25a25a2efd945bfd7591dc442b3f4183163491f432f1be8ce2b0554067c3fe02361aeb962bd53d20878db3bec495a52c13787b31dceadeb

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03ff1e89e18831.exe

MD5 74e88352f861cb12890a36f1e475b4af
SHA1 7dd54ab35260f277b8dcafb556dd66f4667c22d1
SHA256 64578ffca840ebc3f791f1faa21252941d9fd384622d54a28226659ad05650a3
SHA512 18a6911b0d86088d265f49471c52d901a39d1549f9ac36681946a1b91fdb2f71f162ddf4b4659be061302fae6d616852d44c9a151f66eb53bbcc2fde6e7b9463

memory/696-98-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/696-97-0x0000000005720000-0x0000000005786000-memory.dmp

memory/3816-95-0x0000000000C10000-0x0000000000C9A000-memory.dmp

memory/2696-93-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03f186a0d10.exe

MD5 28a0b3751b521af221baa3a76f32c8c1
SHA1 f71aaa12ac600549120b062cbbd852b1a1807c43
SHA256 710ceb98e12443d28a9fd280b453eade11bc3483f6280dc224eb48ed327028ca
SHA512 a3773694f59a8f4c7cd06f7dc97c41bf943cf2e9b6283027964890f0122e26c9822e6b91b3ac23eacefa6954b0b983e7dd9226bfb37682f1645f8c85b24fda4f

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0337242833e.exe

MD5 d1ec05df172b32843f1564bc34feef68
SHA1 29ae8b1a96f294b2f420c7710c81740e79eb2b91
SHA256 e7bfb6e1cba02dd07c20e937a535193f25e87194be8fa6f949a967dc7bd919cf
SHA512 500e55b9976837acf11c97021361f7a57c7425f25e95aab20f5d83fe5c8d582de7bcae0b500cbaf85da52fc739aaaef7a3bd5f8d8b500820b83a0bbd286d26fb

memory/696-90-0x0000000005680000-0x00000000056A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon034a40f4c2.exe

MD5 99918fe3d5011f5e084492e0d9701779
SHA1 55f7a03c6380bb9f51793be0774681b473e07c9f
SHA256 558a67043fbcd0bc37d34c99ff16f66b259b24b44811516ceff678964ec655c4
SHA512 682f1c6c648319c974e608defa41b714d0e8c3670d3f5e669b7227aaf5400285f9f0c6c5c82c50518031d8a93a3cfd591031651068d5a458a6606f2bf51d3e12

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon0376e7a8f67a.exe

MD5 a3ba569405d0fa3f577e9c83b6c303af
SHA1 2ba0d6724aa30dc474ee00a06573e8652a117eac
SHA256 2799a1a7d1a6d1e1dc2746bea858c4052cab03833b069beac261a9f4ad56be90
SHA512 f23907f89db9e9bc6ce80faf1577a461de9ddd23009069a3ab4ab8bc18f610a6c5b44bac5469145fdc61ba130755c02baf83783d7a31d0de747d1b11f260ad0d

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\Mon03184374b6827dae2.exe

MD5 7df1d7d115da507238cf409fa1bd0b91
SHA1 a133c62a14f3871c552a0bcad87a291d5744c2cf
SHA256 2bed8e9c8a557e04ab5f5c3b2a4a26133f62993277dbf0fa0ab574eabb4eddd0
SHA512 2ab249240a4c76d65a225787f2207f38a08cd3e2756bf23c2446343a583fb32a51b5e5674c3af2100a55e53ab49167c462061f251d19e3f89c23526d752c688a

memory/3368-153-0x0000024254110000-0x0000024254168000-memory.dmp

memory/2696-158-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3368-168-0x0000024255E10000-0x0000024255E56000-memory.dmp

memory/3368-170-0x0000024255DF0000-0x0000024255DF6000-memory.dmp

memory/3276-171-0x0000000005140000-0x000000000515E000-memory.dmp

memory/3580-182-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3580-181-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3580-180-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3580-179-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3276-178-0x0000000006750000-0x000000000679C000-memory.dmp

memory/3580-176-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3580-172-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ECUAN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3368-154-0x0000024255DE0000-0x0000024255DE6000-memory.dmp

memory/4968-151-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3412-148-0x0000000000400000-0x0000000000414000-memory.dmp

memory/696-86-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-83-0x00000000055A0000-0x0000000005BC8000-memory.dmp

memory/696-76-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-70-0x0000000004E30000-0x0000000004E66000-memory.dmp

memory/3276-69-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

memory/3580-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3580-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3580-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3580-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3580-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3580-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3580-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3580-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3580-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3580-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3580-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8B32B687\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/3580-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4432-185-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA256 0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA512 4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

memory/972-186-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1148-192-0x0000000000400000-0x0000000000455000-memory.dmp

memory/696-211-0x000000006EC10000-0x000000006EC5C000-memory.dmp

memory/696-210-0x0000000006D80000-0x0000000006DB2000-memory.dmp

memory/696-221-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

memory/3276-222-0x000000006EC10000-0x000000006EC5C000-memory.dmp

memory/696-233-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-232-0x00000000075C0000-0x0000000007663000-memory.dmp

memory/3276-234-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-240-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/2424-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3276-241-0x0000000007700000-0x000000000771A000-memory.dmp

memory/2424-247-0x0000000005400000-0x000000000550A000-memory.dmp

memory/4108-248-0x0000000002C20000-0x0000000003C20000-memory.dmp

memory/3276-250-0x0000000007780000-0x000000000778A000-memory.dmp

memory/2424-249-0x0000000005330000-0x000000000536C000-memory.dmp

memory/2424-242-0x00000000057A0000-0x0000000005DB8000-memory.dmp

memory/2424-243-0x00000000052D0000-0x00000000052E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon03184374b6827dae2.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/3276-254-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/3276-255-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/3276-253-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

memory/3276-256-0x0000000007900000-0x0000000007911000-memory.dmp

memory/696-260-0x0000000007360000-0x000000000736E000-memory.dmp

memory/3276-261-0x0000000007940000-0x0000000007954000-memory.dmp

memory/1292-262-0x0000000000400000-0x000000000053F000-memory.dmp

memory/696-263-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/696-266-0x0000000007450000-0x0000000007458000-memory.dmp

memory/696-264-0x0000000007460000-0x000000000747A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 7165e9d7456520d1f1644aa26da7c423
SHA1 177f9116229a021e24f80c4059999c4c52f9e830
SHA256 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512 fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

memory/4224-268-0x0000000000400000-0x000000000047C000-memory.dmp

memory/696-284-0x0000000073E30000-0x00000000745E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0fec07507d2192a9f0613dcf285ecf6
SHA1 ddad506e51e3a2eee70917241d4f59878999c068
SHA256 26de84db525e6238b4bc30324ee69ff5f4ad928ddf4af9b9ddc59172f045ca96
SHA512 07fdcb38cc70b71c4a7232c5ed20a3e78d56e15f7f9e99af9d79328e7ed33dd02a25d3e0f69db481af32afe9674aef8e5bb2748ce5bb3fbafaac5cd6ed3569d3

memory/3276-288-0x0000000073E30000-0x00000000745E0000-memory.dmp

memory/4108-294-0x000000002DA30000-0x000000002DAE1000-memory.dmp

memory/4108-295-0x000000002DAF0000-0x000000002DB8C000-memory.dmp

memory/4108-302-0x000000002DAF0000-0x000000002DB8C000-memory.dmp

memory/4108-300-0x000000002DAF0000-0x000000002DB8C000-memory.dmp

memory/3412-303-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 2e9d08d52880309cd9dcf011cf3b21d1
SHA1 8fda4720b491d637d61b8aefab957092ffb24c28
SHA256 6750b9f23a8c66f712ca83cdafd75da821563dee1afc813bc9b53c9e4b3f9b26
SHA512 94abf3aeb44d704d9af4946b0d1b270e396b6693e341f43f1bd27facec01204aec5671ec55c3e320d05606b9ed6d0518d32a9e4a30dfe5025ac0f0e30b8177b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 323a8aecb373992550d8f1fcadb6ce9d
SHA1 075e3542af7dbcb0df5d1ff1c9a21298f1348124
SHA256 decf401a1aaf084846d7e352992ae4440a4d98bce047d6acada838b15ff8d103
SHA512 34581cb860a13b40514cf265af4f03c2c0d751ed6486b473ad22a0d770f1442211b4a675b50e0eb154c95da3d5440fd11c10689d04eef19ece6ef88cf526db1f

\??\pipe\crashpad_4360_XTBRJVKYPVOVTGLL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5088-309-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4108-314-0x0000000002C20000-0x0000000003C20000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4108-321-0x000000002DAF0000-0x000000002DB8C000-memory.dmp

memory/4108-322-0x000000002DB90000-0x000000002ED17000-memory.dmp

memory/4108-323-0x000000002ED20000-0x000000002EDB6000-memory.dmp

memory/4108-324-0x000000002EDC0000-0x000000002EE50000-memory.dmp

memory/2300-327-0x00000000023A0000-0x00000000033A0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1b400e1b1f04f73365159f1cf58447b0
SHA1 4c29ecc091eec03d4cde1345e9771fcb18fc0bf2
SHA256 425f4ebc406d0d28de3e6a7e8962ff4a44ae8f84a1f1a3ff6bd686186621cf9f
SHA512 e2b783ba4b37f57d2ad1a24b2933e80b521beb7041fc4625aeebd2f77dcebf24fc21fa0533f13b81d51c24d465dced19d439375688e4c56e8f419d05a823def8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a0b848fd8e973c52f2372f9e3e6cfff5
SHA1 3e5c032e9d78f72371bec66a8890384b6289c9d1
SHA256 302882b245da1c3401e67eabc0ebd616a90956fcafb226a06fa9d90201c193fe
SHA512 0434cc4a0aeb94e4cdc116731e89524437aaca2c4d3515a6dee1fc07b779e0c9d9af8eb78fd0a1f47d5bb0becc87994f6502b4998b5d6b726a15947ddc627653

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 a6d5c6c2fef6d01d9479633869cc951d
SHA1 587442042b9d9aff9a74ab4bbc2a425381c15b43
SHA256 07215ec20b128706214bdb94e8742158c0f095d47a104e14a1b3199182ecebfa
SHA512 a498a1c3269cbd2895034b95d6134ef2e99fb84c9b2743394ddfc4c099f921847c1bb034fef4c08a45cd482f26c84cf6a4c07f22b59cfea4c96c4b2983bf4a41

memory/2300-356-0x000000002D2C0000-0x000000002D371000-memory.dmp

memory/2300-357-0x000000002D380000-0x000000002D41C000-memory.dmp

memory/2300-360-0x000000002D380000-0x000000002D41C000-memory.dmp

memory/2300-358-0x000000002D380000-0x000000002D41C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7c60981a693ea61ed53ad43c5a166971
SHA1 e5315559578704ee94af2cd3d0cc41002ad3a8cb
SHA256 ab1714f613051a8f668c80a3db4b023b4c17f7503943fe2f2e17e29a88aff27b
SHA512 2d977fed3117c4701d6652cc86e71b51186443e603adacdda421c3d3f584cb8cf8f1f71882dc3696e7b919874b4cbdbae31863c514d310284a6b13946015647e

memory/2300-369-0x000000002D380000-0x000000002D41C000-memory.dmp

memory/2300-370-0x000000002D420000-0x000000002E5A7000-memory.dmp

memory/2300-371-0x000000002E5B0000-0x000000002E646000-memory.dmp

memory/2300-372-0x000000002E650000-0x000000002E6E0000-memory.dmp

memory/2300-375-0x000000002E650000-0x000000002E6E0000-memory.dmp

memory/2300-376-0x00000000023A0000-0x00000000033A0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 b2964ffff45dd2518080d743d6e43e0f
SHA1 5916954be5f548016aeb06e4511fd014a0bddbe9
SHA256 26cb0c1685047ea65ba10c13a2c7707b42ab602e56f16b4334cfeb5eedfc3a1b
SHA512 ae11b2e97d3a0760f06f29363846c98466e05ca4c1f3064543e57cfe2a295b3417667f00d41bae2b45514a9cb039c8b385c9a4363b4d1a5c61f9a3d50c04557b

memory/2300-385-0x0000000000090000-0x0000000000093000-memory.dmp

memory/2300-386-0x00000000000A0000-0x00000000000A5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 837def43dc4154bb259617ab7f7c437b
SHA1 7d37c5a190863404bc85b77fa8ff4f55c1793950
SHA256 466bf67da427137ff1e8e1afeed35336adb0085eafbed188d28c6af9c65f66a7
SHA512 f613ed0435a7f1f851c1bde85b1a3ff71f6dfd0e5ba77c21583c3ed8f45bed67a7a4d3e2be03ae5334f8bb29ed480b719db84e9787d3602a89933f1be63d4bc8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0dd1a32cc766ba1625bcb4da19415c20
SHA1 aee50fdd58242d4e693d983e6906ccf5c1492ddf
SHA256 4ed68ff620cbc1419c4f9194d01fcebdde6e937e48f96e045cc62066ce127a03
SHA512 698b14ea39d2b237a3cde725569e80f46ffd4e8aeea75cbe165256f7aedbb2c8ede0a75f81d49379a924c22ccdef1f1076f24e8e5c139074cc1fc429a622d108

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e9d9f70f-bcf7-4880-9943-760b122083e9.tmp

MD5 627c4d88249130ba9a2191bc07e3404f
SHA1 d6daa5c9f046014a6e32213fb48f2daa97ec7e08
SHA256 85ad5b7ff5de308771ef9d682b80723dc1e516ec2c4c6b58a9b04392d33effa7
SHA512 6459f21020e378a0a510c9453ec5e895fbaed4be186f77905038852b348c60ee554cb4cb8ad2c4899d2ef9f9355abd7efb2c14ef9c0753835436ee230bec7c73

C:\Users\Admin\AppData\Local\Temp\e58a860.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/2400-447-0x0000000000560000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3fb284ebd29e241731962516f4c55dd8
SHA1 f382781d57145f4f4e37a0257a9edbf56f232baa
SHA256 db0872efe2587d51663db5b7ca7bcda5a9f8ac47d145961668cd63337cf523c0
SHA512 0f29e31c3179fe3a3628bfe8d4d7626d0eed1626b5453311f52bd04641c1087a3cb1d23754bcd0a6951f9b9ba75153e54283881ba2d06228e29b147183208974

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 bd63da12e1fb8ff9d70badf9e2d523de
SHA1 906629f10ae75788dfe2b00f66dad8e52407e976
SHA256 963ddf774b1f50f23d7f04aa88c457f8fecd256a3bdc2a73e42013a856341327
SHA512 1cb910465a8d023307e3188fe3c37f3d20c79dc306404428b2286e4c4529083f4608438af767cf4bc9cec6eba62b907cc09ca8e4b11ba2b30101389f9d1ff24c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c91672924aad646d0f252e2d3d6d6332
SHA1 ab08a1a0b7c4846689581472915dcc9142488043
SHA256 bd5a4f3b573469174a4785478a0e2bcedaecd433c96c3f65aa4f9f14e4294bd0
SHA512 c546fa95acaadc780bf73dd13c148b244dae457d491e73b39aa33bd0cac9a6f7d3b8786a9b10cfac8ac24f6aead8dc956bff6b10b32ae96c0f666e5bf12c1c3b